Ideas for Defender to be awesomer

i just got hacked in such a senior way, that i was ready to cry! I installed defender, and the hacker still walked all over me, wiping the floor with me, and dunking my head in the loo.

eventually, a couple of things would have saved my bacon – they’re not built into defender yet, so i thought i’d add it to the wish list.

1 – set the public_html permissions back to 755… and on subfolders?

2 – check all files against the repository’s version of the plugin / theme / w-press

3 – scan files outside the installation… for us diddlies who don’t know what should be there and what not…

4 – the checking if google’s blacklisted your site? that’s awesome. but i think i can just get there off dashboard? it doesn’t have its own entry in the menu?

5 – listing the registered users on the domain with admin rights, because not all the users show up in the admin panel, you gotta go hunt in the database for rogue ones.

6 – the ability to uninstall themes and plugins rather than upgrade them? it showed me a few plugins that weren’t actually listed in the plugins panel, but that they needed an upgrade. so – i’d really have liked to delete them, but they’re not listed anywhere, nor show up as folders under /wp-content/plugins/?

I must admit that I’m not entirely sure if a WordPress plugin would be allowed to access files outside the WP install folder without breaking any “WP rules” – which in turn could make itself a kind of “security flaw”. For sure Defender cannot do this currently though.

Fortunately Defender’s lead developer is keeping track of this thread and I’m sure he’ll consider implementation of these ideas in future if only possible.

so here’s the next question – if i do a backup with the WPMUDEV backup tool, will it see those files, and back them up too? The ones that wordfence / aiowps / defender don’t see? Theoretically that’s perfect then… :slight_smile:

Also – I’m checking out CCleaner for Windblows, and it manages to figure out if there’s a registry entry that doesn’t currently have software attached to it, if that makes sense. The *excludes expletives* human who managed to hack my site, has added tables to my DB. So it made me fink.

I’m a keen supporter of something that can clean up a database of plugin tables / fields that are no longer active? Even if that is a manual selection process of the plugins that should no longer have tables / records available to them as they’ve been decommissioned. With the warning that the site will then not remember a single bit of information when you reinstall them?

And no – I have no clue how tricky / impossible this is going to be to implement. :slight_smile:

Still too cold here. Luckily, spring is rapidly blooming so it shouldn’t take long :slight_smile:

so here’s the next question – if i do a backup with the WPMUDEV backup tool, will it see those files, and back them up too? The ones that wordfence / aiowps / defender don’t see? Theoretically that’s perfect then…

That’s again a matter of what a standards-compatible plugin can “reach out” to. What’s inside the WP install directory should be possible to back up. Snapshot PRO gives you a choice of what to back up, including db tables.

Also – I’m checking out CCleaner for Windblows, and it manages to figure out if there’s a registry entry that doesn’t currently have software attached to it, if that makes sense. The *excludes expletives* human who managed to hack my site, has added tables to my DB. So it made me fink.

Defender performs three types of scans:

“WP Core Integrity” – that’s on a file level; it checks WP core files for any changes that have been made there

“Plugin & Themes Vulnerabilities” – that would be closest to CCleaner, though a bit different; I’m not sure if it’s using any heuristics but it does include a huge db of known vulnerabilities and compares your plugins and themes against them

“Suspicious Code” – that’s again a file scan and this does use some heuristics and “probability” algorithms

And no – I have no clue how tricky / impossible this is going to be to implement.
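
A sketch of the file-level check discussed in this thread (wish-list item 2 and the “WP Core Integrity” scan), added here as an illustration; it is not Defender's code. It assumes a manifest mapping each relative path to a SHA-256 hash; the sample install, the manifest and the names `verify_tree` and `build_demo` are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest, strict_dirs=("wp-admin", "wp-includes")):
    """Compare files under root with manifest {relative_path: sha256}."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
        elif sha256_of(full) != expected:
            report["modified"].append(rel)
    # Core-only directories should hold nothing the manifest does not list.
    # wp-content is skipped: it legitimately holds uploads, plugins and themes.
    for top in strict_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in manifest:
                    report["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}

def build_demo():
    """Constructed sample: a tiny fake install, its manifest, then tampering."""
    root = tempfile.mkdtemp()
    files = {"index.php": b"<?php // front controller\n",
             "wp-login.php": b"<?php // login form\n",
             "wp-admin/admin.php": b"<?php // admin bootstrap\n",
             "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n"}
    manifest = {}
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
        manifest[rel] = hashlib.sha256(body).hexdigest()
    with open(os.path.join(root, "wp-login.php"), "ab") as f:
        f.write(b"// line added after install\n")               # modified file
    with open(os.path.join(root, "wp-includes", "cache.php"), "wb") as f:
        f.write(b"<?php // not part of the release\n")          # extra file
    os.remove(os.path.join(root, "wp-includes", "version.php"))  # missing file
    return root, manifest

if __name__ == "__main__":
    print(verify_tree(*build_demo()))
```

A check like this only covers files the manifest knows about, so rogue database tables and extra admin accounts (items 5 and the later database question) need a separate look at the database itself.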
